Win32 PE virus tutorial

Win32 PE virus tutorial

Author: koms bomb

Readers of this article:

1. Be familiar with Win32 assembly. Do not understand Assembly, only understand VB? Yes, VB can also write "viruses", but isn't that terrible?

2. Familiar with PE structure. Faint! If you don't even know the structure of the PE file, who else will be infected.

3. Do not hate viruses if they are "serious. As this article contains components that may lead to dissatisfaction with PC users, if you do not like viruses, please leave quickly.

4. If you are a virus expert, don't laugh at the superficial content in this article. This is the first entry.ArticleIt is hoped that a large number of Chinese viruses will emerge.

5. This is the most basic entry-level technology for virus writing. If you are really a master (Are you really a master? How can you really be a master ??? :)), You don't need to read it.

1. How do I obtain the address of the Kernel32 API?

The virus does not have an import table, and it is no longer fashionable to grab the host. Program Import table.

Currently, the common technology is to search for the base address of Kernel32 from the 4G address space, and then find the address of the required API from the export table of Kernel32. Once the Kernel32 API is available, it is easy to import the APIs of other DLL files. At least loadlibrarya and getprocaddress can be used (well, the basic method ).

First, determine the base address of Kernel32.

This address varies with 98,2 kb and XP. Note: A good virus cannot rely too much on the features of a certain OS, so we cannot write a dead 77e80000 in the virus. So we need to find out. Generally, when a program is executed, Kernel32 is mapped to its address space, which is why we can search for its address.

Check the base addresses of the three operating systems. 98 is bff70000, 2 k is 77e80000, XP is 77e60000, and OK are all above 70000000. We can start from here. Of course, if one byte is searched, it is too slow. Generally, DLL is located at the 1 m boundary, so we can take 10000 as the span.

Another problem is that 4g space is not completely readable, and a GPE error occurs when a location is found. What should I do? Hmmmmmmmmmmmm, M $ has come up with this point. In Win32, a technology called seh is provided, which can help you throw errors and keep your program running without crashing. The specific method of writing seh in assembly is as long as several commands, you can find some viruses on your own.

Note that the PE file is similar to the image in the memory, so we can search for Kernel32 in the following way.

EBX-> current address, now is 70000000 H

Set seh Frame

#1

EBX = EBX + 10000 h

If EBX = 0 then is depressed. Kernel32 not found ??? Whether the host is crashed or returned is yours. I have nothing to say.

Word PTR [EBX] = ''zm ''? No, Goto #1

Eax = EBX + 3ch

Eax = EBX + [eax]

Word PTR [EBX] = ''ep ''? No, Goto #1

Now we are sure this is a PE image, let's look up whether it's a DLL, if not, Goto #1

Then check the export DLL name, if it's not ''Kernel32. dll'', Goto #1

Now go into it's export table, get the APIS address which we use to start our smart work, Hahahaha.

Remove seh Frame

......

Seh handler:

Resume to #1

For details, let's study it on our own. Currently, most Win32 viruses use this process. Of course, the specific implementation methods are different.

2. What then?

Remember the truth written by a virus: The sooner the Host Program is returned, the better. Otherwise, an obvious delay will cause a pretty user (? Pretty girls generally do not understand computers very well. (Voiceover: I have seen female programmers who are pretty girls) ^_^) doubt. So we should immediately allocate a piece of memory, copy ourselves into it, create a virus thread there, and then immediately return the Host Program. Now, the host program is running normally, and our virus is also officially started. hoho begins our demon journey.

3. Try to infect as soon as possible!

Infection is the foundation for a virus to survive for a long time, so we need to search for it on a large scale, and then infect it!

Findfirstfile, findnextfile, and findclose. Unless you hook some system APIs (see win32.kriz), these three APIs are essential for Win32 virus, such as search, infection, and infection. I don't need to talk about the specific search method :).

4. How to infect?

Currently, Win32 viruses are divided into two mainstream types, the most common of which covers the relocation of the last section of the Host Program, or directly after the last section to expand it. This technology is very simple. For example, see funlove. This technology is generally used for viruses with complicated polymorphism engines.

The second type is to insert yourself into the host as much as possible like elkern. For the PE file compiled by VC, its file alignment is 4 K, therefore, the gaps between sections may add up to 4 K, 5 K, which can accommodate the next Win32 virus. This technology is more troublesome and complicated to debug. elkern is popular. (The CIH method is similar, but it is a Win95 virus, not in this tutorial ).

5. What should I do?

To survive, we need to stay in the memory for as long as possible, rather than the Host Program is finished at the end (many early Win32 viruses are like this :(). There are also two methods. One is to drop a file in the system directory like funlove, and modify the registry or create a system service. This method is common and common. Most viruses, including worms, do this. However, releasing a file is too easy to notice. Another way is to infect all running processes. Good method: it is easy to implement in Win2k, createremotethread. However, to implement it on all Win32 platforms, it requires a relatively high skill and is not within the scope of this tutorial.

Of course, if you can write a ring 0 virus that works on all Win32 platforms, then I will take you. This is not impossible, but the virus will be big, boring, and not universal.

6. How to quickly infect

Remember the two most basic

1. Search for as many files as possible without notice. When you write a virus, run it. If it can search 15000 ~ 20000 files, but you have not heard of the hard drive, so congratulations, your virus can be infected quickly.

2. Use file mapping APIs instead of readfile and writefile. The latter is slower.

7. The size of the Win32 virus is recommended.

The answer is: the smaller the better, the better ~ Between 6 K (depressing, the bottom line is like my monthly salary :(). Nowadays, some young people who specialize in virus research are writing more and more viruses. The minimum metamorphism virus is 80 K, and hmmmmmmmmmmmmmm. No, that's not the case. It's a big stuff, it is too easy for users to discover. I believe that Polymorphism or metamorphism is not the most important. Generally, users will not disassemble your virus.CodeAnd the metamorphism engine must be killed by avers. Therefore, the proper polymorphism can lie to the girl. Do you believe that funlove does not have any encryption or polymorphism. Isn't it the most popular Win32 virus? If you are keen on metamorphism, we recommend that you do not write viruses. Instead, you can write discycler in another row to win more than IDA pro.

I originally wanted to write it in English, so I went global. However, my bad English is understandable to foreigners, but Chinese people do not necessarily understand it, so I will first write my first virus teaching article in Chinese, and then translate it into English.
after reading the simple tutorial above, add your own research efforts and refer to the source code of Source Code , I believe you can easily write a Win32 virus. Don't be afraid that others will laugh at your virus and write it with confidence. After writing it, don't forget to show it to me * ^__ ^ *.
if you want to study the details that I have not mentioned, try not to ask me. If you write a virus with my help, your virus level will not exceed me. I hope everyone will surpass me in terms of virus levels and carry forward the Chinese virus business.